Install encryption with Helm AIStor Operator: ObjectStore and KeyManager - allanrogerr/public GitHub Wiki

Deploy KeyManager and ObjectStore

# Install the AIStor operators chart into the "aistor" namespace and enable the
# keymanager, adminjob and object-store operators. "<license string>" is a
# placeholder for the AIStor license; a value given via --set ends up in the
# shell history and process listing, so helm's --set-file is an alternative
# when the license lives in a file.
helm install operators aistor/operators \
  -n aistor --create-namespace \
  --set operators.keymanager.disabled=false \
  --set operators.adminjob.disabled=false \
  --set operators.object-store.disabled=false \
  --set global.license="<license string>"

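# Dump the chart defaults so they can be edited before installing.
helm show values aistor/keymanager > values_keymanager.yaml

# Generate the soft-HSM key. The command prints a line of the form
# hsm:aes256:<key material> (HSMKEYVALUE is a placeholder on this page);
# capture it instead of re-typing it — the pasted value in the original
# carried a trailing space inside the quoted --set argument.
# --rm drops the one-shot container afterwards.
# NOTE(review): assumes the command prints only the key line — confirm.
hsm_key=$(docker run --rm quay.io/minio/aistor/minkms:latest --soft-hsm)

# The key is secret material: it is passed to helm as a value here, so it
# will also appear in the release's stored values.
helm install my-keymanager aistor/keymanager -n my-keymanager --create-namespace \
  -f values_keymanager.yaml --set hsm.hsm="${hsm_key}"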

# Check that the KeyManager resource exists, then inspect the operator side.
kms_ns=my-keymanager
op_ns=aistor

kubectl -n "$kms_ns" get keymanager

kubectl -n "$op_ns" get deploy
kubectl -n "$op_ns" get pods
# "..." stands for the generated pod-name suffix; take it from `get pods` above.
kubectl -n "$op_ns" logs keymanager-operator-...

# Show the labels, remove app.kubernetes.io/managed-by (a trailing "-" on a
# label key removes it) and delete the statefulset — presumably so the
# operator recreates it; confirm against the operator docs.
kubectl -n "$kms_ns" get keymanager mykms --show-labels
kubectl -n "$kms_ns" label keymanager mykms app.kubernetes.io/managed-by-
# NOTE(review): `kubectl delete sts` with neither a name nor --all deletes
# nothing and errors out — the intended statefulset name (mykms?) is missing.
kubectl -n "$kms_ns" delete sts
kubectl -n "$kms_ns" get pods

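# Dump the chart defaults for the object store, then deploy it.
helm show values aistor/object-store > values_objectstore.yaml
# --install turns the upgrade into an install when the release does not exist
# yet; without it --create-namespace has no effect and the first run fails
# because there is no release to upgrade.
helm upgrade --install my-objectstore aistor/object-store -n my-objectstore --create-namespace \
  -f values_objectstore.yaml
kubectl -n my-objectstore get pods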

Option 1

See https://docs.min.io/aistor/object-store/reference/aistor-server/settings/server-side-encryption/#minio-key-management-server-kms and operator/examples-aistor/readme.md. Get the API key:

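# Read the KeyManager API key from the HSM secret in the keymanager namespace.
# It is a single line of the form k1:<base64url> and is a credential — the
# original page reproduced the live value below the command. Capture it in a
# variable for later steps and print it as the original did.
api_key=$(kubectl get secret -n my-keymanager mykms-hsm-secret -o json | jq -r '.data.apiKey' | base64 --decode)
printf '%s\n' "$api_key"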

Create enclave

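# Create the enclave the object store will use. The API key is read from the
# keymanager secret instead of being pasted into the command as a literal
# (the original embedded the live key). It is still passed on argv to
# kubectl and to minkms inside the pod. "-k" is kept from the original;
# check `minkms add-enclave --help` for its meaning.
api_key=$(kubectl get secret -n my-keymanager mykms-hsm-secret -o json | jq -r '.data.apiKey' | base64 --decode)
kubectl exec -n my-keymanager mykms-0 -- ./minkms add-enclave myminio-enclave -a "$api_key" -k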

Recreate config

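# Replace the env secret of the object store with one that points MinIO at the
# KeyManager. Print the current config.env first so it can be restored by hand.
kubectl -n my-objectstore get secret myminio-env-configuration -o json | jq -r '.data."config.env"' | base64 -d
kubectl -n my-objectstore delete secret/myminio-env-configuration

# Read the API key from the keymanager secret rather than embedding the
# literal (the original pasted the live key into the manifest).
kms_api_key=$(kubectl get secret -n my-keymanager mykms-hsm-secret -o json | jq -r '.data.apiKey' | base64 --decode)

# The manifest is fed to kubectl on stdin instead of being written to
# myminio-env-configuration.yaml, so no file with the root credentials and
# the API key is left in the working directory. The delimiter is unquoted on
# purpose: ${kms_api_key} is expanded, everything else is literal.
# MINIO_ROOT_USER/MINIO_ROOT_PASSWORD are the page's sample values.
kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  namespace: my-objectstore
  name: myminio-env-configuration
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
    export MINIO_KMS_SECRET_KEY_FILE=""
    export MINIO_KMS_SERVER="mykms-keymanager-hl.my-keymanager.svc.cluster.local:7373"
    export MINIO_KMS_API_KEY="${kms_api_key}"
    export MINIO_KMS_ENCLAVE="myminio-enclave"
    export MINIO_KMS_SSE_KEY="myminio-key"
EOF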

Restart MinIO and establish a port forward

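# Restart the MinIO pods so they pick up the new env secret, then port-forward
# the service in the background. The original used an undefined `k` alias on
# the last three lines; kubectl is used throughout here.
kubectl -n my-objectstore delete sts myminio-pool-0
# Assumes a four-server pool (pods 0..3) — adjust the range to the deployment.
kubectl -n my-objectstore delete pods myminio-pool-0-{0..3}
kubectl -n my-objectstore get pods
# --address 0.0.0.0 binds the forwarded port on every interface of this host;
# drop it (kubectl defaults to localhost) when only local access is needed.
kubectl -n my-objectstore port-forward svc/minio 9000 --address 0.0.0.0 &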

Test encryption

# Exercise SSE-KMS end to end through the port-forwarded endpoint.
# --insecure skips TLS certificate verification for the local endpoint.
mc_opts=(--insecure)
bucket=local/test
kms_key=my-kms-key

# Start from an empty bucket, create a KMS key and enable SSE-KMS on the bucket.
./mc rb --force "$bucket" "${mc_opts[@]}"
./mc mb "$bucket" "${mc_opts[@]}"
./mc admin kms key create local "$kms_key" "${mc_opts[@]}"
./mc encrypt set sse-kms "$kms_key" "$bucket" "${mc_opts[@]}"

# Upload a sample object and inspect it (stat shows the encryption metadata).
printf 'hello world\n' > test.txt
./mc cp test.txt "$bucket/test.txt" "${mc_opts[@]}"
./mc stat "$bucket/test.txt" "${mc_opts[@]}"

# Point the ObjectStore resource at the KeyManager — presumably the
# operator-managed way of wiring encryption; confirm against the operator docs.
kubectl patch objectstore myminio -n my-objectstore --type=merge \
  -p '{"spec": {"encryption": {"name": "mykms", "namespace": "my-keymanager"}}}'